From 920c7fe71a8d11a7871a28d3ed0905c555260d11 Mon Sep 17 00:00:00 2001
From: mio
Date: Wed, 9 Apr 2025 20:18:14 +0800
Subject: [PATCH] Fix sand due to default schedule change
---
 include/coverage-32.h | 15 +--------------
 include/coverage-64.h | 15 +--------------
 src/afl-fuzz-bitmap.c | 20 +++++++++++++++++---
 3 files changed, 19 insertions(+), 31 deletions(-)
diff --git a/include/coverage-32.h b/include/coverage-32.h
index f5b0056f..9932f240 100644
--- a/include/coverage-32.h
+++ b/include/coverage-32.h
@@ -69,20 +69,7 @@ void simplify_trace(afl_state_t *afl, u8 *bytes) {
 }
 
 inline void classify_counts(afl_forkserver_t *fsrv) {
-
-  u32 *mem = (u32 *)fsrv->trace_bits;
-  u32 i = (fsrv->map_size >> 2);
-
-  while (i--) {
-
-    /* Optimize for sparse bitmaps. */
-
-    if (unlikely(*mem)) { *mem = classify_word(*mem); }
-
-    mem++;
-
-  }
-
+  classify_counts_mem((u32 *)fsrv->trace_bits, fsrv->map_size);
 }
 
 /* Updates the virgin bits, then reflects whether a new count or a new tuple is
diff --git a/include/coverage-64.h b/include/coverage-64.h
index 22aa37f4..376658d5 100644
--- a/include/coverage-64.h
+++ b/include/coverage-64.h
@@ -63,20 +63,7 @@ void simplify_trace(afl_state_t *afl, u8 *bytes) {
 }
 
 inline void classify_counts(afl_forkserver_t *fsrv) {
-
-  u64 *mem = (u64 *)fsrv->trace_bits;
-  u32 i = (fsrv->map_size >> 3);
-
-  while (i--) {
-
-    /* Optimize for sparse bitmaps. */
-
-    if (unlikely(*mem)) { *mem = classify_word(*mem); }
-
-    mem++;
-
-  }
-
+  classify_counts_mem((u64 *)fsrv->trace_bits, afl->map_size);
 }
 
 inline void classify_counts_mem(u64 *mem, u32 size) {
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 0d3a1609..0ab5e307 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
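Review bot: The replacement call passes `fsrv->map_size` unchanged where the removed loop iterated `map_size >> 2` words, so `classify_counts_mem` is evidently expected to take the byte size and derive the word count itself; that contract should be stated at the definition, e.g. `/* size is the trace-map size in bytes, not in words */`, because a caller passing a word count would silently classify only a quarter of the map. The `(u32 *)` cast also implies a 32-bit `classify_counts_mem(u32 *mem, u32 size)` exists in this header; it is not visible in the hunk, so confirm it is declared before this point (C has no overloading, so the 64-bit definition cannot serve here). The 64-bit counterpart in coverage-64.h has a separate problem, noted there.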
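Review bot: `afl->map_size` on the added line references `afl`, which is not a parameter of `classify_counts(afl_forkserver_t *fsrv)` and is not otherwise visible in this header, so the call should read the forkserver exactly as the 32-bit version does: `classify_counts_mem((u64 *)fsrv->trace_bits, fsrv->map_size);`. Unless `afl` is a file-scope name here, of which the hunk gives no sign, this will not compile in 64-bit builds. The trailing context also shows `classify_counts_mem` defined after `classify_counts`; if no earlier prototype is provided by an included header, the call is to an undeclared function, so a forward declaration above `classify_counts` would be prudent.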
@@ -552,7 +552,17 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
 
   if (unlikely(afl->san_binary_length) &&
       likely(afl->san_abstraction == UNIQUE_TRACE)) {
-
+
+    // If schedule is not FAST..EXPLORE, we need to classify here
+    // Note: SAND was evaluated under FAST schedule but should also work
+    // with other scedules.
+    if (!classified) {
+      classify_counts_mem(
+        (u64*)afl->fsrv.trace_bits,
+        afl->fsrv.map_size
+      );
+      classified = 1;
+    }
     cksum_unique =
         hash32(afl->fsrv.trace_bits, afl->fsrv.map_size, HASH_CONST);
     if (unlikely(!bitmap_read(afl->n_fuzz_dup, cksum) &&
@@ -615,8 +625,12 @@ u8 __attribute__((hot)) save_if_interesting(afl_state_t *afl, void *mem,
 
     /* If we are in coverage increasing abstraction and have fed input to
        sanitizers, we are sure it has new bits.*/
-    new_bits = has_new_bits_unclassified(afl, afl->virgin_bits);
-
+    if (classified) {
+      /* We could have classified the bits in SAND with UNIQUE_TRACE */
+      new_bits = has_new_bits(afl, afl->virgin_bits);
+    } else {
+      new_bits = has_new_bits_unclassified(afl, afl->virgin_bits);
+    }
   }
 
   if (likely(!new_bits)) {
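Review bot: The added call hard-codes `(u64*)afl->fsrv.trace_bits` and the 64-bit `classify_counts_mem`, while the same commit turns `classify_counts(afl_forkserver_t *fsrv)` into a wrapper that appears to select the `u32`/`u64` variant per word size; calling `classify_counts(&afl->fsrv);` here instead would keep 32-bit builds consistent and collapse the four-line call to one. The comment has a typo, `scedules` → `schedules`, and would be more useful if it said what the guard protects: `// Classify in place now if the scheduler has not already done so, so that cksum_unique and the later has_new_bits() see bucketed counts`. `classified` and its initialisation are outside the hunk, as is the rest of save_if_interesting.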
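Review bot: The comment on the new `if (classified)` branch says only that the bits may already be classified, not why that matters; if, as in AFL's count-class lookup, `classify_word` is not idempotent, a second pass through `has_new_bits_unclassified` would re-bucket already bucketed counts and distort the coverage comparison, which is the actual reason this branch is needed. Suggest replacing the comment with `/* trace_bits were already classified above (SAND UNIQUE_TRACE); has_new_bits_unclassified() would classify them a second time */`. The enclosing `else` block and the remainder of save_if_interesting continue outside the hunk.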